Monday, April 25, 2011

My latest project, OboxApps.com, a mobile app suite for LogicBoxes (LB) and Resellerclub (RClub) users, has to deal with the the awkward situation of storing the users credentials to make API calls on their behalf.

Searching turned up some great answers by ircmaxell on how to deal with situations like this:

Encrypt the password using the random salt with the method used in the Encryption class from answer 1 above.

Store the random salt and API username in the session.

Send the encrypted password to the client in a secure (HTTPS), httponly cookie.

The API credentials and the encrypted password cookie are transmitted over HTTPS to protect against any kind of sniffing and the httponly property of the encrypted password cookie ensures that client side JavaScript cannot access it through XSS attacks (although it is not supported by all browsers).

Additionally (as suggested by ircmaxell in a private conversation), I could also look at implementing the Secure Cookie Protocol (pdf) for the encrypted password cookie and ensure the salt is sufficiently strong by using a derivation function such as KDF3 on the random salt to prevent or at least curb brute force attacks against the key generator, but I think this is good enough for now.